MAL-2026-7011

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-alias/MAL-2026-7011.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7011
Published
2026-07-08T17:31:00Z
Modified
2026-07-08T17:46:44.041219791Z
Summary
Malicious code in events-alias (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (164642716a755117674746c1c2534b0ac47d56bed2348e7a800c3d37a98074e9)

The package's preinstall hook ("node index.js") runs automatically on npm install and executes an exfiltration payload. index.js requires child_process, os, http, and https, collects the installer's hostname, platform, arch, home directory, user info (username/uid/gid/shell), the output of whoami/id, and cwd, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package name 'events-alias' mimics the ubiquitous Node core 'events' module namespace but ships only this install-time recon/exfil payload; an undeclared ~10KB binary blob named 'i' also ships in the tarball but is not referenced from the executed code. Installing this package leaks installer identity/host reconnaissance data to attacker-controlled infrastructure.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "164642716a755117674746c1c2534b0ac47d56bed2348e7a800c3d37a98074e9",
            "id": "IN-MAL-2026-008171",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:40:19.849331827Z",
            "modified_time": "2026-07-08T17:31:00Z",
            "versions": [
                "15.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / events-alias

Package

Affected ranges

Affected versions

15.*
15.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "3b5141c515f65a251ba7b8494a4f9402b227e0033606de55bfcc8740af9537c9bf0bf6",
            "sha256": "97807c86a507cbabc4bbb48a63d172bf5119a7cbf9b6e17284daf3146ca1cb78"
        },
        {
            "path": "package.json",
            "tlsh": "20d05e204d21552325c50256182a948762618e6f24047c08a39b182c81ce27798ff35d",
            "sha256": "ac0e68353e0abc16a670e391f14219e95ccee234f78e3e1b157cc08973aec790"
        },
        {
            "path": "i",
            "tlsh": "d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123",
            "sha256": "5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a"
        }
    ],
    "package_integrity": [
        {
            "filename": "events-alias-15.0.1.tgz",
            "hashes": {
                "sha1": "e76b699e268e839e92f9b6f29ae91b72fa5ccfd9",
                "sha512_sri": "sha512-f3QbnSOf+8yT0+Od5wvtYZMmZMmVcQgRG1CB/UJ5RBpgLC7fmq3yWVLZnv2uPMc5esUKRzlzqJ0FtyYse6rPgw=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-alias/MAL-2026-7011.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]